WhatFT, posted February 15, 2014

How it works:
Requires one item, like a Name Changer Ticket, and 50,000,000z.
If the player has the ticket, it will change the name permanently.
After changing the name, the previous name and the new name will be saved to an SQL log.

I can't find a script like this, so can you help me? Thank you in advance!

Secrets (Developer), posted September 12, 2017

Answers that are vulnerable to SQL injection have been hidden.

vBrenth, posted September 12, 2017

> Secrets said: Answers that are vulnerable to SQL injection have been hidden.

What do you mean by this?

Skorm (Forum Moderator), posted September 13, 2017

> vBrenth said: What do you mean by this?

They forgot to use the escape_sql() command when allowing the user to type things in when querying the SQL server... So someone could end the statement early by adding ; and then type their own stuff. Like ; DROP TABLE `accounts`; or something much worse, hahaha.

Nerks, posted October 13, 2017

> Skorm said: They forgot to use the escape_sql() command when allowing the user to type things in when querying the SQL server... So someone could end the statement early by adding ; and then type their own stuff. Like ; DROP TABLE `accounts`; or something much worse, hahaha.

I don't get it...

Haruka Mayumi, posted October 23, 2017

It's possible for users to DROP or edit something in your database using a script like the one you want (though it depends on the script). =)

Nerks, posted October 23, 2017

> Haruka Mayumi said: It's possible for users to DROP or edit something in your database using a script like the one you want (though it depends on the script). =)

Do I need to use escape_sql() inside the query_sql " "? Because sometimes I use it like this:

query_sql "select `id` from `table` where `id` = " + .@name;

Do I need to use escape_sql() on the .@name, or can I just leave it like that because it is outside of the "" (double quotes)?

llchrisll, posted October 23, 2017

escape_sql() is only required for text inputs, like:

WHERE `char_name` = '"+escape_sql(.@name$)+"'";

In the ( ) comes the text/variable/array.

Regards,
Chris

Nerks, posted October 23, 2017

> llchrisll said: escape_sql() is only required for text inputs, like: WHERE `char_name` = '"+escape_sql(.@name$)+"'"; In the ( ) comes the text/variable/array. Regards, Chris

Thanks for the answer. Back to my question: how about outside of the double quotes ("") in query_sql, just like in my sample? Is it necessary?

Skorm (Forum Moderator), posted October 23, 2017 (edited October 23, 2017)

> Nerks said: Thanks for the answer. Back to my question: how about outside of the double quotes ("") in query_sql, just like in my sample? Is it necessary?

'"+@NewName$+"'

It's not double quotes like you have. It's quotes ( " ) then single quotes ( ' ). The single quotes are for SQL to be like "OK, this is a string." Normal quotes are there to break the string server side. So what it's doing:

"String '(Start SQL String) (Break NPC Compiler String)"+(.@npc_string_variable$)+"(Enter NPC String) (End SQL String)' (End NPC String)"

Nerks, posted October 24, 2017

> Skorm said: '"+@NewName$+"' It's not double quotes like you have. It's quotes ( " ) then single quotes ( ' ). The single quotes are for SQL to be like "OK, this is a string." Normal quotes are there to break the string server side. So what it's doing: "String '(Start SQL String) (Break NPC Compiler String)"+(.@npc_string_variable$)+"(Enter NPC String) (End SQL String)' (End NPC String)"

Sorry for the confusion in my question. What I'm about to ask is the difference between these two.

EXAMPLE 1:
query_sql "select `field` from `table` where `field` = " + .@id, holder;

Question on EXAMPLE 1: do I need to put escape_sql() on the .@id even though it's outside of the double quotes (")?

CORRECT USAGE, EXAMPLE 2:
query_sql "select `field` from `table` where `field` = '" + escape_sql(.@id) + "'";

EXAMPLE 2 is the one commonly used by each of us.

Skorm (Forum Moderator), posted October 24, 2017

> Nerks said: Sorry for the confusion in my question. What I'm about to ask is the difference between these two.

You only need escape_sql when dealing with string variables. .@id is an integer variable, so nobody can put an escape character like "; or something to cause harm to your database. If the variable was .@id$ and a user put text in that .@id$ variable like

'; DROP TABLE `accounts`;

MySQL would read

select `field` from `table` where `field` = ''; DROP TABLE `accounts`;

Nerks, posted October 24, 2017

> Skorm said: You only need escape_sql when dealing with string variables. .@id is an integer variable, so nobody can put an escape character like "; or something to cause harm to your database. If the variable was .@id$ and a user put text in that .@id$ variable like '; DROP TABLE `accounts`; MySQL would read select `field` from `table` where `field` = ''; DROP TABLE `accounts`;

Now I get it. Even in my EXAMPLE 1 I need to put escape_sql. It's safer to use escape_sql on every variable. Little code, MAXIMUM effect.

llchrisll, posted October 24, 2017 (edited October 24, 2017)

Not really, since escape_sql converts "John's" into "John\'s", as described in script_commands.txt, so it's only necessary for string input.

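As an added example (it is not part of this thread and not rAthena's own code), here is how the name changer requested in the first post can be written following the quoting rules Skorm and llchrisll describe: every player-typed string goes between single quotes and through escape_sql(), integer variables such as the character ID are concatenated bare, and the old and new names are written to a log table. Assumptions not taken from the thread: the ticket item ID 30000, the NPC position and sprite, the letters-and-digits name policy, and the `name_change_log` table, which OnInit creates if it is missing. `char`.`char_id` and `char`.`name` are the standard rAthena columns.

```athena
// Added example: name changer using escape_sql() correctly (not from the thread).
// Assumptions: ticket item ID 30000, NPC position/sprite, letters-and-digits name
// policy, and the `name_change_log` table created below in OnInit.
prontera,155,180,4	script	Name Changer	4_M_01,{
	.@cost = 50000000;

	mes "[Name Changer]";
	mes "I can rename your character for one " + getitemname(.ticket_id) + " and 50,000,000 zeny.";
	next;
	if (select("Change my name:Leave") == 2)
		close;
	if (countitem(.ticket_id) < 1 || Zeny < .@cost) {
		mes "[Name Changer]";
		mes "Come back with the ticket and the zeny.";
		close;
	}
	mes "[Name Changer]";
	mes "Type the new name.";
	next;
	// For a string variable, input's min/max are lengths; 23 is the client's name limit.
	if (input(.@new_name$, 4, 23) != 0) {
		mes "[Name Changer]";
		mes "Names must be 4 to 23 characters long.";
		close;
	}
	// Writing straight to the `char` table bypasses the char server's own name
	// validation, so enforce a whitelist here (assumed policy: letters and digits).
	.@allowed$ = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789";
	for (.@i = 0; .@i < getstrlen(.@new_name$); .@i++) {
		if (strpos(.@allowed$, charat(.@new_name$, .@i)) < 0) {
			mes "[Name Changer]";
			mes "Only letters and digits are allowed.";
			close;
		}
	}
	.@char_id = getcharid(0);       // integer variable: no quotes, no escape_sql
	.@old_name$ = strcharinfo(0);   // string: quote it and escape it when it reaches SQL

	// Player-typed text: single quotes for SQL, escape_sql() for the content.
	// query_sql returns 0 for no rows and -1 on a SQL error, so only 0 lets the rename through.
	if (query_sql("SELECT `char_id` FROM `char` WHERE `name` = '" + escape_sql(.@new_name$) + "'", .@existing_id) != 0) {
		mes "[Name Changer]";
		mes "That name is not available.";
		close;
	}
	// Charge only after every check has passed.
	delitem .ticket_id, 1;
	Zeny -= .@cost;

	query_sql("UPDATE `char` SET `name` = '" + escape_sql(.@new_name$) + "' WHERE `char_id` = " + .@char_id);
	query_sql("INSERT INTO `name_change_log` (`char_id`, `old_name`, `new_name`, `changed_at`)"
		+ " VALUES (" + .@char_id + ", '" + escape_sql(.@old_name$) + "', '" + escape_sql(.@new_name$) + "', NOW())");

	mes "[Name Changer]";
	mes "Done. You will be disconnected so the new name takes effect on your next login.";
	close2;
	// The map server still holds the old name in memory; force a fresh login.
	atcommand "@kick " + .@old_name$;
	end;

OnInit:
	.ticket_id = 30000;  // placeholder custom item ID (assumption)
	query_sql("CREATE TABLE IF NOT EXISTS `name_change_log` ("
		+ "`id` INT UNSIGNED NOT NULL AUTO_INCREMENT, `char_id` INT UNSIGNED NOT NULL,"
		+ " `old_name` VARCHAR(30) NOT NULL, `new_name` VARCHAR(30) NOT NULL,"
		+ " `changed_at` DATETIME NOT NULL, PRIMARY KEY (`id`), KEY (`char_id`))");
	end;
}
```

Two points worth noticing. The old name is escaped as well even though the server, not the player, supplied it: a name is a string, and the rule is about the type, not about who typed it, which is exactly why the integer `.@char_id` needs neither quotes nor escape_sql(). The whitelist loop is not an injection defence (escape_sql() already covers that); it exists because a direct UPDATE on `char` skips the checks the char server applies when a character is created, so the script has to enforce the name policy itself. Try it on a development server first.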